)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"7a89b624ddf1e9938e9cf1ada7ee21ea4f9ec572","unresolved":true,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"When TLS is used with ssl_ca_file, the Rabbit driver validates the"},{"line_number":10,"context_line":"certificate chain but does not verify the broker hostname. This could allow"},{"line_number":11,"context_line":"a MITM attacker with a certificate trusted by the deployment CA to"},{"line_number":12,"context_line":"impersonate the RabbitMQ broker."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"This change adds ssl_enforce_hostname_verification. When enabled together"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":3,"id":"b47b40f4_2a9dbd68","line":11,"updated":"2026-05-11 13:53:19.000000000","message":"Can you wrap these are \u003c\u003d 72 characters","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"},{"author":{"_account_id":31245,"name":"Daniel Bengtsson","email":"dbengt@redhat.com","username":"damani42"},"change_message_id":"50b0379fa63f3c76a32b51451be1baed7d369ac9","unresolved":false,"context_lines":[{"line_number":8,"context_line":""},{"line_number":9,"context_line":"When TLS is used with ssl_ca_file, the Rabbit driver validates the"},{"line_number":10,"context_line":"certificate chain but does not verify the broker hostname. This could allow"},{"line_number":11,"context_line":"a MITM attacker with a certificate trusted by the deployment CA to"},{"line_number":12,"context_line":"impersonate the RabbitMQ broker."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"This change adds ssl_enforce_hostname_verification. When enabled together"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":3,"id":"050339c3_eea2c524","line":11,"in_reply_to":"b47b40f4_2a9dbd68","updated":"2026-05-12 10:41:33.000000000","message":"Done","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"b2d488ec1f6679d89f783d8c49f572665ad9bc48","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"1b79a1ee_23fd1d04","updated":"2026-05-11 11:36:53.000000000","message":"Leaving a couple of comments for record, because we might want to address these in follow-up.","commit_id":"8cd2e33d3d21812244aa10bec4d5838f887cbc4c"},{"author":{"_account_id":31245,"name":"Daniel Bengtsson","email":"dbengt@redhat.com","username":"damani42"},"change_message_id":"5148c9eef018db26d5d4266f53ac8a679b542aa4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"61c8938e_e29b0b8c","in_reply_to":"1b79a1ee_23fd1d04","updated":"2026-05-11 12:04:18.000000000","message":"Thanks a lot for the code review, updated to use `oslo_utils.versionutils` for the Kombu version check and reworded the release note to be self-contained.","commit_id":"8cd2e33d3d21812244aa10bec4d5838f887cbc4c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b9a4588b8e3d81027813a6e6795c87ad330fe8b5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"5a0a5b1e_a61ec124","updated":"2026-05-11 20:57:36.000000000","message":"my -1 is not to fail explicitly for kombu \u003c5.2.0 as operator can handle it via certificate.","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"f0ba30c2fca423154240aef814aaa7d8047e4dd0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"5e5057ad_82fccf3f","updated":"2026-05-12 17:00:35.000000000","message":"even it is already merged but confirming my vote here as lgtm. all my comments were addressed, thanks.","commit_id":"73dc887a9caf7540685bdcb148f63d1a91f34bc0"}],"oslo_messaging/_drivers/impl_rabbit.py":[{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"b2d488ec1f6679d89f783d8c49f572665ad9bc48","unresolved":true,"context_lines":[{"line_number":281,"context_line":"LOG \u003d logging.getLogger(__name__)"},{"line_number":282,"context_line":""},{"line_number":283,"context_line":""},{"line_number":284,"context_line":"def _kombu_version_tuple():"},{"line_number":285,"context_line":"    match \u003d re.match(r\u0027^(\\d+)\\.(\\d+)\\.(\\d+)\u0027, kombu.__version__)"},{"line_number":286,"context_line":"    if not match:"},{"line_number":287,"context_line":"        return (0, 0, 0)"}],"source_content_type":"text/x-python","patch_set":1,"id":"ccf4ac4b_aa067ba2","line":284,"range":{"start_line":284,"start_character":4,"end_line":284,"end_character":24},"updated":"2026-05-11 11:36:53.000000000","message":"We have oslo_utils.versionutils for this purpose...","commit_id":"8cd2e33d3d21812244aa10bec4d5838f887cbc4c"},{"author":{"_account_id":31245,"name":"Daniel Bengtsson","email":"dbengt@redhat.com","username":"damani42"},"change_message_id":"1593e16e5544cb5ae93dd880bc6aa1c8e4c0699e","unresolved":false,"context_lines":[{"line_number":281,"context_line":"LOG \u003d logging.getLogger(__name__)"},{"line_number":282,"context_line":""},{"line_number":283,"context_line":""},{"line_number":284,"context_line":"def _kombu_version_tuple():"},{"line_number":285,"context_line":"    match \u003d re.match(r\u0027^(\\d+)\\.(\\d+)\\.(\\d+)\u0027, kombu.__version__)"},{"line_number":286,"context_line":"    if not match:"},{"line_number":287,"context_line":"        return (0, 0, 0)"}],"source_content_type":"text/x-python","patch_set":1,"id":"35089d42_5afedce4","line":284,"range":{"start_line":284,"start_character":4,"end_line":284,"end_character":24},"in_reply_to":"ccf4ac4b_aa067ba2","updated":"2026-05-11 12:02:51.000000000","message":"Done","commit_id":"8cd2e33d3d21812244aa10bec4d5838f887cbc4c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"7a89b624ddf1e9938e9cf1ada7ee21ea4f9ec572","unresolved":true,"context_lines":[{"line_number":87,"context_line":"               help\u003d\u0027SSL certification authority file \u0027"},{"line_number":88,"context_line":"                    \u0027(valid only if SSL enabled).\u0027),"},{"line_number":89,"context_line":"    cfg.BoolOpt(\u0027ssl_enforce_hostname_verification\u0027,"},{"line_number":90,"context_line":"                default\u003dTrue,"},{"line_number":91,"context_line":"                help\u003d\u0027When true (default on master), verify the broker \u0027"},{"line_number":92,"context_line":"                     \u0027hostname against the certificate when \u0027"},{"line_number":93,"context_line":"                     \u0027``ssl_ca_file`` is set. Requires Kombu \u003e\u003d 5.2.0 when \u0027"}],"source_content_type":"text/x-python","patch_set":3,"id":"aef86c6a_ce9347ab","line":90,"updated":"2026-05-11 13:53:19.000000000","message":"Should this be deprecated? Is there a good reason to keep this option around after a migration period?","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"6f15845b35d1b85356d8a866d2e1dce29c692445","unresolved":false,"context_lines":[{"line_number":87,"context_line":"               help\u003d\u0027SSL certification authority file \u0027"},{"line_number":88,"context_line":"                    \u0027(valid only if SSL enabled).\u0027),"},{"line_number":89,"context_line":"    cfg.BoolOpt(\u0027ssl_enforce_hostname_verification\u0027,"},{"line_number":90,"context_line":"                default\u003dTrue,"},{"line_number":91,"context_line":"                help\u003d\u0027When true (default on master), verify the broker \u0027"},{"line_number":92,"context_line":"                     \u0027hostname against the certificate when \u0027"},{"line_number":93,"context_line":"                     \u0027``ssl_ca_file`` is set. Requires Kombu \u003e\u003d 5.2.0 when \u0027"}],"source_content_type":"text/x-python","patch_set":3,"id":"45bfa402_857798d6","line":90,"in_reply_to":"9096a5b2_d032a2fa","updated":"2026-05-12 10:20:32.000000000","message":"Done","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b9a4588b8e3d81027813a6e6795c87ad330fe8b5","unresolved":true,"context_lines":[{"line_number":87,"context_line":"               help\u003d\u0027SSL certification authority file \u0027"},{"line_number":88,"context_line":"                    \u0027(valid only if SSL enabled).\u0027),"},{"line_number":89,"context_line":"    cfg.BoolOpt(\u0027ssl_enforce_hostname_verification\u0027,"},{"line_number":90,"context_line":"                default\u003dTrue,"},{"line_number":91,"context_line":"                help\u003d\u0027When true (default on master), verify the broker \u0027"},{"line_number":92,"context_line":"                     \u0027hostname against the certificate when \u0027"},{"line_number":93,"context_line":"                     \u0027``ssl_ca_file`` is set. Requires Kombu \u003e\u003d 5.2.0 when \u0027"}],"source_content_type":"text/x-python","patch_set":3,"id":"9096a5b2_d032a2fa","line":90,"in_reply_to":"aef86c6a_ce9347ab","updated":"2026-05-11 20:57:36.000000000","message":"++, agree. it should be temporary for migration and we can mark it deprecated for removal in 2027.2 (after including at least one SLURP release)","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"7a89b624ddf1e9938e9cf1ada7ee21ea4f9ec572","unresolved":true,"context_lines":[{"line_number":88,"context_line":"                    \u0027(valid only if SSL enabled).\u0027),"},{"line_number":89,"context_line":"    cfg.BoolOpt(\u0027ssl_enforce_hostname_verification\u0027,"},{"line_number":90,"context_line":"                default\u003dTrue,"},{"line_number":91,"context_line":"                help\u003d\u0027When true (default on master), verify the broker \u0027"},{"line_number":92,"context_line":"                     \u0027hostname against the certificate when \u0027"},{"line_number":93,"context_line":"                     \u0027``ssl_ca_file`` is set. Requires Kombu \u003e\u003d 5.2.0 when \u0027"},{"line_number":94,"context_line":"                     \u0027multiple RabbitMQ brokers are listed in the transport \u0027"}],"source_content_type":"text/x-python","patch_set":3,"id":"d5a40d81_2bf96af1","line":91,"updated":"2026-05-11 13:53:19.000000000","message":"What is `master` here?","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"},{"author":{"_account_id":31245,"name":"Daniel Bengtsson","email":"dbengt@redhat.com","username":"damani42"},"change_message_id":"5c8b3672f2ebf50ea34b20b0e2fcb781f82d511a","unresolved":false,"context_lines":[{"line_number":88,"context_line":"                    \u0027(valid only if SSL enabled).\u0027),"},{"line_number":89,"context_line":"    cfg.BoolOpt(\u0027ssl_enforce_hostname_verification\u0027,"},{"line_number":90,"context_line":"                default\u003dTrue,"},{"line_number":91,"context_line":"                help\u003d\u0027When true (default on master), verify the broker \u0027"},{"line_number":92,"context_line":"                     \u0027hostname against the certificate when \u0027"},{"line_number":93,"context_line":"                     \u0027``ssl_ca_file`` is set. Requires Kombu \u003e\u003d 5.2.0 when \u0027"},{"line_number":94,"context_line":"                     \u0027multiple RabbitMQ brokers are listed in the transport \u0027"}],"source_content_type":"text/x-python","patch_set":3,"id":"ffe84d37_f84f4149","line":91,"in_reply_to":"d5a40d81_2bf96af1","updated":"2026-05-12 10:03:44.000000000","message":"Done","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"7a89b624ddf1e9938e9cf1ada7ee21ea4f9ec572","unresolved":true,"context_lines":[{"line_number":288,"context_line":"    \"\"\""},{"line_number":289,"context_line":"    try:"},{"line_number":290,"context_line":"        return ("},{"line_number":291,"context_line":"            versionutils.convert_version_to_tuple(kombu.__version__) \u003e\u003d"},{"line_number":292,"context_line":"            versionutils.convert_version_to_tuple(minimum)"},{"line_number":293,"context_line":"        )"},{"line_number":294,"context_line":"    except ValueError:"}],"source_content_type":"text/x-python","patch_set":3,"id":"346f3691_6403ab73","line":291,"updated":"2026-05-11 13:53:19.000000000","message":"rather than relying on the `__version__` attribute (which is likely to be removed at some point: I\u0027ve seen them removed from the likes of Django already), would it make sense to use `importlib.metadata.version` instead?","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"},{"author":{"_account_id":31245,"name":"Daniel Bengtsson","email":"dbengt@redhat.com","username":"damani42"},"change_message_id":"5c8b3672f2ebf50ea34b20b0e2fcb781f82d511a","unresolved":false,"context_lines":[{"line_number":288,"context_line":"    \"\"\""},{"line_number":289,"context_line":"    try:"},{"line_number":290,"context_line":"        return ("},{"line_number":291,"context_line":"            versionutils.convert_version_to_tuple(kombu.__version__) \u003e\u003d"},{"line_number":292,"context_line":"            versionutils.convert_version_to_tuple(minimum)"},{"line_number":293,"context_line":"        )"},{"line_number":294,"context_line":"    except ValueError:"}],"source_content_type":"text/x-python","patch_set":3,"id":"5037d4ad_172db1e1","line":291,"in_reply_to":"346f3691_6403ab73","updated":"2026-05-12 10:03:44.000000000","message":"Done","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"7a89b624ddf1e9938e9cf1ada7ee21ea4f9ec572","unresolved":true,"context_lines":[{"line_number":951,"context_line":"        if len(url.hosts) \u003d\u003d 1:"},{"line_number":952,"context_line":"            return url.hosts[0].hostname"},{"line_number":953,"context_line":"        if len(url.hosts) \u003e 1:"},{"line_number":954,"context_line":"            if not _kombu_version_at_least(\u00275.2.0\u0027):"},{"line_number":955,"context_line":"                msg \u003d ("},{"line_number":956,"context_line":"                    \"RabbitMQ TLS hostname verification with multiple \""},{"line_number":957,"context_line":"                    \"brokers requires Kombu \u003e\u003d 5.2.0, which substitutes \""}],"source_content_type":"text/x-python","patch_set":3,"id":"e2f7bb4c_66097a77","line":954,"updated":"2026-05-11 13:53:19.000000000","message":"We only have one user of this. Can\u0027t we just inline it?\n\nAlso, we need to backport this so can\u0027t do this now, but 5.2.0 is 4.5 years old. We should do a follow-up to drop this check and just bump the minimum version.","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"},{"author":{"_account_id":31245,"name":"Daniel Bengtsson","email":"dbengt@redhat.com","username":"damani42"},"change_message_id":"5c8b3672f2ebf50ea34b20b0e2fcb781f82d511a","unresolved":false,"context_lines":[{"line_number":951,"context_line":"        if len(url.hosts) \u003d\u003d 1:"},{"line_number":952,"context_line":"            return url.hosts[0].hostname"},{"line_number":953,"context_line":"        if len(url.hosts) \u003e 1:"},{"line_number":954,"context_line":"            if not _kombu_version_at_least(\u00275.2.0\u0027):"},{"line_number":955,"context_line":"                msg \u003d ("},{"line_number":956,"context_line":"                    \"RabbitMQ TLS hostname verification with multiple \""},{"line_number":957,"context_line":"                    \"brokers requires Kombu \u003e\u003d 5.2.0, which substitutes \""}],"source_content_type":"text/x-python","patch_set":3,"id":"51a93ef3_445f6642","line":954,"in_reply_to":"0d833999_bb9d0a9a","updated":"2026-05-12 10:03:44.000000000","message":"Done","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b9a4588b8e3d81027813a6e6795c87ad330fe8b5","unresolved":true,"context_lines":[{"line_number":951,"context_line":"        if len(url.hosts) \u003d\u003d 1:"},{"line_number":952,"context_line":"            return url.hosts[0].hostname"},{"line_number":953,"context_line":"        if len(url.hosts) \u003e 1:"},{"line_number":954,"context_line":"            if not _kombu_version_at_least(\u00275.2.0\u0027):"},{"line_number":955,"context_line":"                msg \u003d ("},{"line_number":956,"context_line":"                    \"RabbitMQ TLS hostname verification with multiple \""},{"line_number":957,"context_line":"                    \"brokers requires Kombu \u003e\u003d 5.2.0, which substitutes \""}],"source_content_type":"text/x-python","patch_set":3,"id":"0d833999_bb9d0a9a","line":954,"in_reply_to":"e2f7bb4c_66097a77","updated":"2026-05-11 20:57:36.000000000","message":"In all supported stable releases, upper constraints for kombu version is \u003e 5.2.0 (5.4.2 in 2025.1 [1]) so we are good to bump the min version (at least in master)\n\n[1] https://github.com/openstack/requirements/blob/stable/2025.1/upper-constraints.txt#L465","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b9a4588b8e3d81027813a6e6795c87ad330fe8b5","unresolved":true,"context_lines":[{"line_number":950,"context_line":"    def _get_ssl_server_hostname(url):"},{"line_number":951,"context_line":"        if len(url.hosts) \u003d\u003d 1:"},{"line_number":952,"context_line":"            return url.hosts[0].hostname"},{"line_number":953,"context_line":"        if len(url.hosts) \u003e 1:"},{"line_number":954,"context_line":"            if not _kombu_version_at_least(\u00275.2.0\u0027):"},{"line_number":955,"context_line":"                msg \u003d ("},{"line_number":956,"context_line":"                    \"RabbitMQ TLS hostname verification with multiple \""},{"line_number":957,"context_line":"                    \"brokers requires Kombu \u003e\u003d 5.2.0, which substitutes \""},{"line_number":958,"context_line":"                    \"server_hostname from the active broker. Upgrade Kombu, \""},{"line_number":959,"context_line":"                    \"or set [oslo_messaging_rabbit] \""},{"line_number":960,"context_line":"                    \"ssl_enforce_hostname_verification\u003dfalse to keep the \""},{"line_number":961,"context_line":"                    \"previous behavior without hostname verification.\")"},{"line_number":962,"context_line":"                raise DriverLoadFailure(url.transport, RuntimeError(msg))"},{"line_number":963,"context_line":"            # Kombu \u003e\u003d 5.2.0 substitutes None with the selected broker"},{"line_number":964,"context_line":"            # hostname after failover chooses the active URL."},{"line_number":965,"context_line":"            return None"},{"line_number":966,"context_line":"        return None"},{"line_number":967,"context_line":""}],"source_content_type":"text/x-python","patch_set":3,"id":"635f7817_f7eadd8e","line":964,"range":{"start_line":953,"start_character":0,"end_line":964,"end_character":61},"updated":"2026-05-11 20:57:36.000000000","message":"For the multihost case, returning \u0027None\u0027 works fine with Kombu \u003e\u003d 5.2.0, but with Kombu \u003c 5.2.0, the hostname verification can still be achieved in multiple ways. One option is to use a SAN/wildcard certificate that covers all broker hostnames. I know it\u0027s less preferable, but still better than failing. If anyone cannot upgrade the kombu then they should be able to do the hostname verification. I agree that we can add a warning msg to let them know about it and a recommendation to upgrade Kobmu \u003e\u003d5.2.0.\n\nIn summary, IMO we should not fail it for kombu \u003c5.2.0 instead let\u0027s pass the url.hosts[0].hostname with a warning msg that the certificate should be able to cover all mentioned broken hostnames or upgrade to kombu\u003e\u003d5.2.0. and if still verification then it is fine.","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"},{"author":{"_account_id":31245,"name":"Daniel Bengtsson","email":"dbengt@redhat.com","username":"damani42"},"change_message_id":"5c8b3672f2ebf50ea34b20b0e2fcb781f82d511a","unresolved":false,"context_lines":[{"line_number":950,"context_line":"    def _get_ssl_server_hostname(url):"},{"line_number":951,"context_line":"        if len(url.hosts) \u003d\u003d 1:"},{"line_number":952,"context_line":"            return url.hosts[0].hostname"},{"line_number":953,"context_line":"        if len(url.hosts) \u003e 1:"},{"line_number":954,"context_line":"            if not _kombu_version_at_least(\u00275.2.0\u0027):"},{"line_number":955,"context_line":"                msg \u003d ("},{"line_number":956,"context_line":"                    \"RabbitMQ TLS hostname verification with multiple \""},{"line_number":957,"context_line":"                    \"brokers requires Kombu \u003e\u003d 5.2.0, which substitutes \""},{"line_number":958,"context_line":"                    \"server_hostname from the active broker. Upgrade Kombu, \""},{"line_number":959,"context_line":"                    \"or set [oslo_messaging_rabbit] \""},{"line_number":960,"context_line":"                    \"ssl_enforce_hostname_verification\u003dfalse to keep the \""},{"line_number":961,"context_line":"                    \"previous behavior without hostname verification.\")"},{"line_number":962,"context_line":"                raise DriverLoadFailure(url.transport, RuntimeError(msg))"},{"line_number":963,"context_line":"            # Kombu \u003e\u003d 5.2.0 substitutes None with the selected broker"},{"line_number":964,"context_line":"            # hostname after failover chooses the active URL."},{"line_number":965,"context_line":"            return None"},{"line_number":966,"context_line":"        return None"},{"line_number":967,"context_line":""}],"source_content_type":"text/x-python","patch_set":3,"id":"7eb0173e_2df74392","line":964,"range":{"start_line":953,"start_character":0,"end_line":964,"end_character":61},"in_reply_to":"635f7817_f7eadd8e","updated":"2026-05-12 10:03:44.000000000","message":"Done","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"6f15845b35d1b85356d8a866d2e1dce29c692445","unresolved":true,"context_lines":[{"line_number":938,"context_line":"            return url.hosts[0].hostname"},{"line_number":939,"context_line":"        if len(url.hosts) \u003e 1:"},{"line_number":940,"context_line":"            try:"},{"line_number":941,"context_line":"                kombu_ver \u003d importlib.metadata.version(\u0027kombu\u0027)"},{"line_number":942,"context_line":"            except importlib.metadata.PackageNotFoundError:"},{"line_number":943,"context_line":"                kombu_ver \u003d getattr(kombu, \u0027__version__\u0027, \u0027\u0027) or \u0027\u0027"},{"line_number":944,"context_line":"            try:"},{"line_number":945,"context_line":"                kombu_substitutes_failover_hostname \u003d ("},{"line_number":946,"context_line":"                    versionutils.convert_version_to_tuple(kombu_ver) \u003e\u003d"}],"source_content_type":"text/x-python","patch_set":4,"id":"52263167_7b52ba9a","line":943,"range":{"start_line":941,"start_character":63,"end_line":943,"end_character":67},"updated":"2026-05-12 10:20:32.000000000","message":"I don\u0027t believe this fallback should be needed?","commit_id":"5783ffb00df9ee33e27b90039243353d79dd59b7"},{"author":{"_account_id":31245,"name":"Daniel Bengtsson","email":"dbengt@redhat.com","username":"damani42"},"change_message_id":"72ad0bb6f5ca4f3b3476674185673e3723fb3893","unresolved":false,"context_lines":[{"line_number":938,"context_line":"            return url.hosts[0].hostname"},{"line_number":939,"context_line":"        if len(url.hosts) \u003e 1:"},{"line_number":940,"context_line":"            try:"},{"line_number":941,"context_line":"                kombu_ver \u003d importlib.metadata.version(\u0027kombu\u0027)"},{"line_number":942,"context_line":"            except importlib.metadata.PackageNotFoundError:"},{"line_number":943,"context_line":"                kombu_ver \u003d getattr(kombu, \u0027__version__\u0027, \u0027\u0027) or \u0027\u0027"},{"line_number":944,"context_line":"            try:"},{"line_number":945,"context_line":"                kombu_substitutes_failover_hostname \u003d ("},{"line_number":946,"context_line":"                    versionutils.convert_version_to_tuple(kombu_ver) \u003e\u003d"}],"source_content_type":"text/x-python","patch_set":4,"id":"f5e15b23_87d0ba38","line":943,"range":{"start_line":941,"start_character":63,"end_line":943,"end_character":67},"in_reply_to":"52263167_7b52ba9a","updated":"2026-05-12 10:35:08.000000000","message":"Done","commit_id":"5783ffb00df9ee33e27b90039243353d79dd59b7"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"6f15845b35d1b85356d8a866d2e1dce29c692445","unresolved":true,"context_lines":[{"line_number":944,"context_line":"            try:"},{"line_number":945,"context_line":"                kombu_substitutes_failover_hostname \u003d ("},{"line_number":946,"context_line":"                    versionutils.convert_version_to_tuple(kombu_ver) \u003e\u003d"},{"line_number":947,"context_line":"                    versionutils.convert_version_to_tuple(\u00275.2.0\u0027)"},{"line_number":948,"context_line":"                )"},{"line_number":949,"context_line":"            except ValueError:"},{"line_number":950,"context_line":"                kombu_substitutes_failover_hostname \u003d False"}],"source_content_type":"text/x-python","patch_set":4,"id":"28aa0adb_bbb8ac24","line":947,"updated":"2026-05-12 10:20:32.000000000","message":"```suggestion\n                    (5, 2, 0)\n```","commit_id":"5783ffb00df9ee33e27b90039243353d79dd59b7"},{"author":{"_account_id":31245,"name":"Daniel Bengtsson","email":"dbengt@redhat.com","username":"damani42"},"change_message_id":"72ad0bb6f5ca4f3b3476674185673e3723fb3893","unresolved":false,"context_lines":[{"line_number":944,"context_line":"            try:"},{"line_number":945,"context_line":"                kombu_substitutes_failover_hostname \u003d ("},{"line_number":946,"context_line":"                    versionutils.convert_version_to_tuple(kombu_ver) \u003e\u003d"},{"line_number":947,"context_line":"                    versionutils.convert_version_to_tuple(\u00275.2.0\u0027)"},{"line_number":948,"context_line":"                )"},{"line_number":949,"context_line":"            except ValueError:"},{"line_number":950,"context_line":"                kombu_substitutes_failover_hostname \u003d False"}],"source_content_type":"text/x-python","patch_set":4,"id":"1ed06e45_85fa4b86","line":947,"in_reply_to":"28aa0adb_bbb8ac24","updated":"2026-05-12 10:35:08.000000000","message":"Done","commit_id":"5783ffb00df9ee33e27b90039243353d79dd59b7"}],"releasenotes/notes/rabbit-ssl-hostname-verification-option.yaml":[{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"b2d488ec1f6679d89f783d8c49f572665ad9bc48","unresolved":true,"context_lines":[{"line_number":8,"context_line":"    could allow a man-in-the-middle attacker with a trusted certificate to"},{"line_number":9,"context_line":"    impersonate the broker."},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"    This change enables proper hostname verification when ``ssl_ca_file`` is"},{"line_number":12,"context_line":"    set and ``[oslo_messaging_rabbit] ssl_enforce_hostname_verification`` is"},{"line_number":13,"context_line":"    enabled. Using ``ssl\u003dtrue`` without ``ssl_ca_file`` still does not verify"},{"line_number":14,"context_line":"    the broker hostname."}],"source_content_type":"text/x-yaml","patch_set":1,"id":"d21835c3_9517c4fd","line":11,"range":{"start_line":11,"start_character":4,"end_line":11,"end_character":16},"updated":"2026-05-11 11:36:53.000000000","message":"This appears in a release note so readers don\u0027t know what \"this change\" is.","commit_id":"8cd2e33d3d21812244aa10bec4d5838f887cbc4c"},{"author":{"_account_id":31245,"name":"Daniel Bengtsson","email":"dbengt@redhat.com","username":"damani42"},"change_message_id":"1593e16e5544cb5ae93dd880bc6aa1c8e4c0699e","unresolved":false,"context_lines":[{"line_number":8,"context_line":"    could allow a man-in-the-middle attacker with a trusted certificate to"},{"line_number":9,"context_line":"    impersonate the broker."},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"    This change enables proper hostname verification when ``ssl_ca_file`` is"},{"line_number":12,"context_line":"    set and ``[oslo_messaging_rabbit] ssl_enforce_hostname_verification`` is"},{"line_number":13,"context_line":"    enabled. Using ``ssl\u003dtrue`` without ``ssl_ca_file`` still does not verify"},{"line_number":14,"context_line":"    the broker hostname."}],"source_content_type":"text/x-yaml","patch_set":1,"id":"9bce0c22_a5a2e1e8","line":11,"range":{"start_line":11,"start_character":4,"end_line":11,"end_character":16},"in_reply_to":"d21835c3_9517c4fd","updated":"2026-05-11 12:02:51.000000000","message":"Done","commit_id":"8cd2e33d3d21812244aa10bec4d5838f887cbc4c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"7a89b624ddf1e9938e9cf1ada7ee21ea4f9ec572","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"security:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Fixes CVE-2026-44393."},{"line_number":5,"context_line":""},{"line_number":6,"context_line":"    When using TLS with ``ssl_ca_file``, oslo.messaging validated the"},{"line_number":7,"context_line":"    certificate chain but did not verify the RabbitMQ broker hostname. This"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"4858a488_e83e5414","line":4,"range":{"start_line":4,"start_character":10,"end_line":4,"end_character":24},"updated":"2026-05-11 13:53:19.000000000","message":"Is this a valid CVE yet? I see it referenced on Launchpad but can\u0027t find any other references.","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"},{"author":{"_account_id":31245,"name":"Daniel Bengtsson","email":"dbengt@redhat.com","username":"damani42"},"change_message_id":"5c8b3672f2ebf50ea34b20b0e2fcb781f82d511a","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"security:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Fixes CVE-2026-44393."},{"line_number":5,"context_line":""},{"line_number":6,"context_line":"    When using TLS with ``ssl_ca_file``, oslo.messaging validated the"},{"line_number":7,"context_line":"    certificate chain but did not verify the RabbitMQ broker hostname. This"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"99f8151b_9ba6dff0","line":4,"range":{"start_line":4,"start_character":10,"end_line":4,"end_character":24},"in_reply_to":"4858a488_e83e5414","updated":"2026-05-12 10:03:44.000000000","message":"Done","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"b9a4588b8e3d81027813a6e6795c87ad330fe8b5","unresolved":true,"context_lines":[{"line_number":13,"context_line":"    enabled. Using ``ssl\u003dtrue`` without ``ssl_ca_file`` still does not verify"},{"line_number":14,"context_line":"    the broker hostname."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"    On master, ``ssl_enforce_hostname_verification`` defaults to ``true``."},{"line_number":17,"context_line":"    Stable branches are expected to default it to ``false`` to preserve"},{"line_number":18,"context_line":"    existing behavior during backports until operators opt in."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"    Transport URLs listing multiple RabbitMQ brokers require Kombu \u003e\u003d 5.2.0"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"1c1da7ba_12875e6a","line":17,"range":{"start_line":16,"start_character":4,"end_line":17,"end_character":20},"updated":"2026-05-11 20:57:36.000000000","message":"I am not sure \u0027master\u0027 and stable branches terminology are easy to understand when people refer it in future. please mention the oslo.messaging (and openstack release version) to convey the same","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"},{"author":{"_account_id":31245,"name":"Daniel Bengtsson","email":"dbengt@redhat.com","username":"damani42"},"change_message_id":"5c8b3672f2ebf50ea34b20b0e2fcb781f82d511a","unresolved":false,"context_lines":[{"line_number":13,"context_line":"    enabled. Using ``ssl\u003dtrue`` without ``ssl_ca_file`` still does not verify"},{"line_number":14,"context_line":"    the broker hostname."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"    On master, ``ssl_enforce_hostname_verification`` defaults to ``true``."},{"line_number":17,"context_line":"    Stable branches are expected to default it to ``false`` to preserve"},{"line_number":18,"context_line":"    existing behavior during backports until operators opt in."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"    Transport URLs listing multiple RabbitMQ brokers require Kombu \u003e\u003d 5.2.0"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"2cbbc835_b6c34abe","line":17,"range":{"start_line":16,"start_character":4,"end_line":17,"end_character":20},"in_reply_to":"1c1da7ba_12875e6a","updated":"2026-05-12 10:03:44.000000000","message":"Done","commit_id":"d755bcea8284661ed4525e144e619b2554c991c9"}]}